Intelligent Inline Protection in Real-Time at Wire-Speed
Threat Defender’s user- and device-centric threat intelligence and protection platform uses a behavior-based inline correlation engine to analyze tens of millions of packets and events in real time. Based on the behavior of users and devices, it dynamically enforces policies. This allows enterprises to respond to security threats much faster than traditional signature-based threat detection using static rules.
Threat Defender’s high-performance active packet processing engine uses the world’s first inline, real-time correlation engine. It correlates all of a network’s external and internal communication (flows, applications, security events, IoCs) to detect changes or abnormal behavior that occur over time and across many distinct flows/packets, and allows it to detect, block and isolate hidden threats using a flexible dynamic policy engine.
cognitix goes beyond the current network security paradigm of e.g. SIEM, firewalls (Next-Generation or UTM) and Intrusion Detection & Protection Systems (IDS/IPS) by combining the major functions of each of these systems in an integrated inline real-time Threat Intelligence and Protection platform that uses a high-performance single-pass engine to detect and block threats inline and in real time.
Behavior-based Correlation for Efficient Threat Detection and Defense
cognitix has redefined the language used for firewall rules to include additional conditions and actions, adding a method to track network traffic events over time. Event Tracking Tables monitor the properties of network communication across several traffic flows, and store and aggregate combinations of event properties. The resulting ability to correlate behavior of traffic forms the basis for Threat Defender’s granular and precise risk mitigation.
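As an added illustration (not cognitix’s code; the table key, window length, threshold and the ‘quarantine’ object name are assumptions), a toy model of an Event Tracking Table that aggregates IoC-destination hits per source across flows over a sliding window and, once a threshold is reached, updates a dynamic network object that later rules can match on:

```python
from collections import defaultdict, deque

# Constructed indicator set (the IoC rule condition): destination IPs to match on.
IOC_DESTINATIONS = {"203.0.113.7", "203.0.113.9", "198.51.100.22"}
WINDOW_SECONDS = 60          # sliding window for tracked events (assumed value)
DISTINCT_IOC_THRESHOLD = 3   # distinct IoC destinations per source (assumed value)

class EventTrackingTable:
    """Aggregates one event property per source and expires it after the window."""

    def __init__(self, window):
        self.window = window
        self._events = defaultdict(deque)   # src -> deque of (timestamp, dst)

    def record(self, src, dst, ts):
        q = self._events[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()

    def distinct(self, src):
        return {dst for _, dst in self._events[src]}

def correlate(flows, table=None, quarantine=None):
    """Rule logic: on an IoC hit update the table; once a source reaches the
    threshold inside the window, add it to the hypothetical 'quarantine' dynamic
    network object and drop its further flows. Returns (members, verdicts)."""
    table = EventTrackingTable(WINDOW_SECONDS) if table is None else table
    quarantine = set() if quarantine is None else quarantine
    verdicts = []
    for ts, src, dst in flows:
        if dst in IOC_DESTINATIONS:
            table.record(src, dst, ts)
            if len(table.distinct(src)) >= DISTINCT_IOC_THRESHOLD:
                quarantine.add(src)        # action: update dynamic network object
        verdicts.append((ts, src, dst, "drop" if src in quarantine else "allow"))
    return quarantine, verdicts

# Constructed sample flows: (timestamp in seconds, source, destination).
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.7"),
    (10, "10.0.0.5", "203.0.113.9"),
    (20, "10.0.0.8", "203.0.113.7"),
    (25, "10.0.0.5", "198.51.100.22"),   # third distinct IoC destination in 25 s
    (30, "10.0.0.5", "192.0.2.1"),       # benign destination, but source is quarantined
    (200, "10.0.0.8", "203.0.113.9"),    # earlier hit expired; only one hit in window
]

if __name__ == "__main__":
    print(correlate(SAMPLE_FLOWS))
```

A single IoC hit from 10.0.0.8 never crosses the threshold because its first hit has aged out of the window, which is the point of aggregating over time rather than alerting per flow.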
Threat Defender protects the network from internal and external threats or attacks while operating completely transparently to the existing network infrastructure, regardless of whether it is installed at the perimeter or inside the network. Threat Defender comes in software-only or appliance form factors that can scale up to 40 Gbps.
The inline real-time packet engine operates at layers 2 to 7 and is capable of correlating tens of millions of flows in real time and inline.
It uses an innovative new approach to network segmentation: dynamic network objects use machine learning to segment the network and place devices in different network segments automatically, based on their behavior rather than on their physical location in the network, as legacy solutions do.
Threat Defender collects Threat Intelligence from open source and commercial cyber-security threat feeds, deduplicates and normalizes them to extract IoCs which it then integrates into its real-time inline packet engine. Using Indicators of Compromise (IPs, URLs, Domains, File Hashes, Emails, etc.) that are updated every few minutes and which represent the latest attacks detected on a global scale, Threat Defender is able to provide network security administrators with actionable cyber-threat intelligence which can be blocked in real-time or used in further behavior correlation.
Threat Defender permanently updates its IoC feed as well as its IPS and application signatures and URL database.
It adds contextual parameters such as geolocation, User-ID, WHOIS and IoC TTPs to contextualize and enrich network data, providing the user with actionable real-time Threat Intelligence.
Correlating network flows connects seemingly unrelated events and discovers hidden relationships to reveal the full scope of a potential attack and to block threats inline and in real-time.
Main Features of Threat Defender:
Collect IoCs from different open source or commercial Cyber-Threat Feeds to automatically deliver the latest actionable threat intelligence to Threat Defender’s packet engine for analysis and protection.
Correlate, in real time and inline, tens of millions of network flows (remembering, relating and connecting past and present network flows, events and activities) to discover hidden relationships in them and to connect seemingly unrelated benign events to reveal the full scope of a potential attack.
Enrich and contextualize network data and information by adding to it contexts such as geolocation, user ID (when available), WHOIS, URLs, Domains, security events (IPS, IoCs, content, IP&URL reputation, …).
Analyze all network, user, security and threat behavior inline and in real time.
Supported Firewall Features of Threat Defender
Single pass correlation engine
Analysis of flow features on layers 2-7
Evaluation of conditions/characteristics of traffic flows between source and destination network objects
Dynamic network objects
Full IPv6 and IPv4 support
Supported Rule Actions
Network flow manipulation (Allow, Continue, Drop, Reject (TCP reset))
Log to Syslog and IPFIX
Update Dynamic Network Objects
Update Event Tracking Table (in Correlation Scenarios)
Logging support using Syslog (structured and plain) and IPFIX protocols
Compatible with other systems (e.g. with Splunk, ELK)
Match flows on up to 1.5 million indicators of attack/compromise (IoA and IoC)
Correlates indicators from high quality TI feeds to reduce false-positives, updated hourly
Supported Rule Conditions
Transport layer protocol
Transport layer port
Classification based on layer 2-7 protocols and applications
URL category and reputation
Source and destination country (geo location)
Data Leakage Prevention (DLP)
Event Tracking Table evaluation (in correlation scenarios)
Global or per host shaping scope